c/mirror_zfs
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_zfs.git synced 2024-11-17 10:01:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Clarify and improve encryption documentation

Browse Source 
- Remove the language that "all user data" is encrypted.  This is to
  avoid misunderstandings or arguments about what is "user data",
  especially in light of "user properties".
- Document that properties are unencrypted.
- Document that snapshot names are unencrypted.
- For consistency with the rest of the zfs.8 man page, use "ZFS" as the
  generic noun, not (bolded) "zfs".  The latter refers to the command.
  Likewise, use "ZFS" instead of "the kernel module".
- Give "a passphrase" as an example of a "user's key".

Reviewed-by: Tom Caputi <tcaputi@datto.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: George Melikov <mail@gmelikov.ru>
Signed-off-by: Richard Laager <rlaager@wiktel.com>
Closes #8652
This commit is contained in:
Richard Laager 2019-04-24 19:14:25 -05:00 committed by Brian Behlendorf
parent 6e81f9b21b
commit 2b127afb44
1 changed files with 14 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
man/man8/zfs.8
View File

@ -2380,17 +2380,19 @@ configuration is not supported.
.Ss Encryption .Ss Encryption
Enabling the Enabling the
.Sy encryption .Sy encryption
feature allows for the creation of encrypted filesystems and volumes. feature allows for the creation of encrypted filesystems and volumes. ZFS
.Nm will encrypt file and zvol data, file attributes, ACLs, permission bits,
will encrypt all user data including file and zvol data, file attributes, directory listings, FUID mappings, and
ACLs, permission bits, directory listings, FUID mappings, and userused / .Sy userused
groupused data. /
.Nm .Sy groupused
will not encrypt metadata related to the pool structure, including dataset data. ZFS will not encrypt metadata related to the pool structure, including
names, dataset hierarchy, file size, file holes, and dedup tables. Key rotation dataset and snapshot names, dataset hierarchy, properties, file size, file
is managed internally by the kernel module and changing the user's key does not holes, and deduplication tables.
require re-encrypting the entire dataset. Datasets can be scrubbed, resilvered, .Pp
renamed, and deleted without the encryption keys being loaded (see the Key rotation is managed by ZFS. Changing the user's key (e.g. a passphrase)
does not require re-encrypting the entire dataset. Datasets can be scrubbed,
resilvered, renamed, and deleted without the encryption keys being loaded (see the
.Nm zfs Cm load-key .Nm zfs Cm load-key
subcommand for more info on key loading). subcommand for more info on key loading).
.Pp .Pp
@ -2432,8 +2434,7 @@ read-only
.Sy encryptionroot .Sy encryptionroot
property. property.
.Pp .Pp
Encryption changes the behavior of a few Encryption changes the behavior of a few ZFS
.Nm
operations. Encryption is applied after compression so compression ratios are operations. Encryption is applied after compression so compression ratios are
preserved. Normally checksums in ZFS are 256 bits long, but for encrypted data preserved. Normally checksums in ZFS are 256 bits long, but for encrypted data
the checksum is 128 bits of the user-chosen checksum and 128 bits of MAC from the checksum is 128 bits of the user-chosen checksum and 128 bits of MAC from